diff --git a/app/assets/javascripts/discourse/controllers/composer.js.es6 b/app/assets/javascripts/discourse/controllers/composer.js.es6
index d6d1224f5..9e5b2206d 100644
--- a/app/assets/javascripts/discourse/controllers/composer.js.es6
+++ b/app/assets/javascripts/discourse/controllers/composer.js.es6
@@ -67,7 +67,8 @@ export default Ember.Controller.extend({
 
   @computed('model.action')
   canWhisper(action) {
-    return this.siteSettings.enable_whispers && action === Composer.REPLY;
+    const currentUser = this.currentUser;
+    return currentUser && currentUser.get('staff') && this.siteSettings.enable_whispers && action === Composer.REPLY;
   },
 
   showWarning: function() {
diff --git a/app/controllers/posts_controller.rb b/app/controllers/posts_controller.rb
index 5ee72c315..b7c321ed9 100644
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@@ -465,7 +465,7 @@ class PostsController < ApplicationController
       result[:is_warning] = false
     end
 
-    if SiteSetting.enable_whispers? && params[:whisper] == "true"
+    if current_user.staff? && SiteSetting.enable_whispers? && params[:whisper] == "true"
       result[:post_type] = Post.types[:whisper]
     end